Arbitrary File Write Vulnerability in Spring Integration ZIP by Pivotal
CVE-2018-1261

4.7 MEDIUM

Key Information:

Vendor: Pivotal
CVE Published: 11 May 2018

What is CVE-2018-1261?

An arbitrary file write vulnerability exists in Spring Integration ZIP versions prior to 1.0.1 due to improper handling of specially crafted zip archives. Malicious users can exploit this vulnerability using path traversal filenames to write files outside of the intended extraction directory. This issue can affect other archive formats, including bzip2, tar, xz, war, cpio, and 7z, posing a significant risk if exploited.

Affected Version(s)

Spring Integration Zip 5.0.x prior to 5.0.6; 4.3.x prior to 4.3.17

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
